[PATCH] Follow-up patch for bug in dealing with "Owner Rights" ACEs when calculating maximum access
jra at samba.org
Fri Mar 1 22:45:20 UTC 2019
On Fri, Mar 01, 2019 at 07:17:35PM +0100, Ralph Böhme wrote:
> On Fri, Mar 01, 2019 at 06:42:05PM +0100, Ralph Böhme wrote:
> > On Fri, Mar 01, 2019 at 05:59:20PM +0100, Ralph Böhme wrote:
> > > On Fri, Mar 01, 2019 at 08:42:19AM -0800, Jeremy Allison wrote:
> > > > I'll take a look, but if you've allowed these new tests
> > > > to pass whilst simplifying the algorithm I'm all in favour :-).
> > >
> > > yeah, but it's a really subtle change with security implications.
> > >
> > > I still have to do a larger rewrite, so I think you can ignore the
> > > patches for now. I'll update here once I have something in shape for
> > > curious eyes. :)
> > ok, this one looks much better. WIP patchset attached.
> yeah, this seems to be going in the right direction. We can split the main
> patch with the fix into two individual patches, fixing the OWNER-RIGHTS-DENY
> and OWNER-RIGHTS-DENY1 tests individually, better demonstrating the problem.
> And then I'd say OWNER-RIGHTS-DENY1 is a different bug.
OK, I've gone through the rewrites here of:
access_check_max_allowed() and se_access_check()
and they both look really clean and readable - well done !
Plus went through the new tests and they all
look reasonable to me.
Let me know when you're done and I'll review with
a view to pushing to master !